Skip to content

Update dependency daphne to v4.2.2 [SECURITY]#82

Open
renovate[bot] wants to merge 1 commit into
devfrom
renovate/pypi-daphne-vulnerability
Open

Update dependency daphne to v4.2.2 [SECURITY]#82
renovate[bot] wants to merge 1 commit into
devfrom
renovate/pypi-daphne-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
daphne (changelog) ==4.2.0==4.2.2 age confidence

daphne: Unauthenticated attackers can cause excessive memory consumption by sending arbitrarily large WebSocket messages/frames

CVE-2026-44545 / GHSA-rrc9-mx66-ffcm

More information

Details

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


daphne: WebSocket handshake header smuggling through autobahn splitlines() mishandling of non-standard line separators

CVE-2026-44546 / GHSA-xh68-hfp5-5x5m

More information

Details

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

django/daphne (daphne)

v4.2.2

Compare Source

  • Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
    Daphne previously passed no message or frame size limits to autobahn,
    whose defaults are unbounded. This allowed an unauthenticated client
    to exhaust server memory by sending a very large WebSocket
    messages/frames (CVE-2026-44545).

    Both limits now default to 1 MiB and can be configured via the new
    --websocket-max-message-size and --websocket-max-frame-size CLI
    flags (or the matching Server constructor arguments). Pass 0 to
    restore the previous unlimited behaviour.

    Thanks to ParkHyunWoo for the report.

  • Fixed a header injection vulnerability on the WebSocket upgrade path
    (CVE-2026-44546).

    Header values containing \x0b, \x0c, \x1c, \x1d, \x1e,
    or \x85 were parsed as a single header by Twisted but split into
    multiple headers by autobahn during the WebSocket handshake. An attacker
    could exploit this parser differential to smuggle additional headers
    (e.g. authentication tokens, X-Forwarded-For, Origin,
    Daphne-Root-Path) into the ASGI scope passed to the application.

    Daphne now rejects requests carrying these bytes in any header value with
    a 400 Bad Request response, as required by RFC 9110 §5.5.

    Thanks to Rene Henningsen for the report.

v4.2.1

Compare Source

  • Fixed a packaging error in 4.2.0.

  • Removed --nostatic and --insecure args to runserver command when staticfiles
    app is not installed.


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants